EP3901720A1 - Integrity test for control systems of technical installations - Google Patents

Integrity test for control systems of technical installations

Info

Publication number: EP3901720A1
Authority: EP (European Patent Office)
Prior art keywords: operator, station server, operator station, action, integrity check
Legal status: Withdrawn
Application number: EP20170955.7A
Other languages: German (de), English (en)
Inventors: Benjamin Lutz, Anna Palmin
Current assignee: Siemens AG
Original assignee: Siemens AG
Priority date: 2020-04-22
Filing date: 2020-04-22
Publication date: 2021-10-27
Application filed by Siemens AG
Priority to EP20170955.7A (EP3901720A1)
Priority to PCT/EP2021/060450 (WO2021214181A1)
Publication of EP3901720A1
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4184 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM], characterised by fault tolerance, reliability of production system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24008 Safety integrity level, safety integrated systems SIL SIS
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • the invention relates to an operator station server of a control system for a technical system, in particular a manufacturing or process system, which is designed and provided to receive a request for an operator action from an operator of the technical system and to carry out the operator action, with the features of claim 1.
  • the invention also relates to a control system for a technical installation according to claim 10 and a method according to claim 11.
  • the term "integrity" means protection against unnoticed manipulation of software services and components.
  • mechanisms for protecting the integrity are being used more and more frequently in the software specially developed for process engineering systems. Nevertheless, it often happens that it is only through a complex error analysis following a failed execution of a certain operating action (e.g. changing a control value) that it is determined that the cause was a faulty or corrupt software service.
  • an integrity check carried out over the entire software usually severely impairs the performance of the software.
  • An integrity check usually includes the calculation of one or more values using cryptographic algorithms. Such algorithms are made more and more efficient - for example through their implementation in hardware and continuous further development of processors. Nevertheless, they still remain very computationally intensive - especially when used on larger software components. For this reason, the time intervals for the cyclical test are chosen to be as large as possible. This in turn has the consequence that the operator actions that require the calling of services and whose integrity was already violated at the time of initiation are initiated despite the manipulated services and thus impair the reliability, availability and integrity of the (procedural) plant.
  • the invention is based on the object of specifying a control system and an associated operator station server of a technical installation, the integrity of which can be checked more efficiently and in a way that conserves resources.
  • the object is achieved according to the invention in that the operator station server is designed and provided to carry out an integrity check on components of the control system affected by the operator action before the operator action is performed.
  • a control system is understood to be a computer-aided technical system that has functionalities for displaying, operating and managing a technical system such as a manufacturing or production plant.
  • the control system includes sensors for determining measured values as well as various actuators.
  • the control system includes so-called process or production-related components that are used to control the actuators or sensors.
  • the control system has, among other things, means for visualizing the technical system and for engineering.
  • the term control system also includes further processing units for more complex regulations and systems for data storage and processing.
  • the technical system can be a system from the process industry, such as a chemical, pharmaceutical, petrochemical or a system from the food and beverage industry. This also includes any systems from the production industry, plants in which, for example, cars or goods of all kinds are produced.
  • Technical systems which are suitable for carrying out the method according to the invention can also come from the field of energy generation. Wind turbines, solar systems or power plants for energy generation are also included in the term technical system.
  • a component can be individual sensors or actuators in the technical system.
  • a component can also be a combination of several sensors and / or actuators, for example a motor, a reactor, a pump or a valve system.
  • the term "component” includes computer-implemented services of the control system. Examples of this can be found in the description of the exemplary embodiment.
  • an "operator station server" is understood to mean a server that centrally records data from an operator control and monitoring system and, as a rule, alarm and measured value archives of a (process) control system of a technical installation, and makes them available to users.
  • the operator station server usually establishes a communication link to the automation systems of the technical system and forwards data from the technical system to so-called clients, which are used to operate and monitor the operation of the individual functional elements of the technical system.
  • the operator station server can have client functions to access the data (archives, messages, tags, variables) of other operator station servers. This means that images of an operation in the technical system on the operator station server can be combined with variables from other operator station servers (server-server communication).
  • the operator station server can, without being limited to this, be a SIMATIC PCS 7 industrial workstation server from SIEMENS.
  • An operator is understood to be a human operator of the technical installation or the control system.
  • the operator interacts with the technical system or the control system by means of special user interfaces and controls special technical functions of the system.
  • the operator can use an operating and monitoring system of the control system.
  • An operator action is understood to be the technical intervention in a technical functionality of the technical system. For example, this can mean changing a manipulated variable, acknowledging an alarm message or changing a parameter.
  • the operating action is triggered by an (operating) request from an operator of the technical system to the control system of the technical system.
  • the (operating) request can be directed to the operator station server by means of an operator station client, which can effect the execution of the operator action (directly or indirectly).
  • the operator station server can determine whether a component that is affected by the operator action to be triggered has integrity, i.e. is constituted in the way the operator station server expects. For example, as part of the integrity check, the operator station server can check whether a characteristic value of the component matches the expected (target) value. For this purpose, the operator station server can, for example, query hash values and / or certificates of the relevant components and compare them with (target) values known to it in order to check the integrity of the components.
  • the integrity check is limited to the components that are affected by the operator action. As a result of this restriction, the resources required are significantly reduced compared to previously known methods. Only those components are specifically examined that are actually involved in the execution of an operator action and not the entire control system, for example. "Affected” refers to the components that are involved in the execution of the operating action requested by the operator. The components concerned do not necessarily have to be assigned to just one operator station server. Rather, the components can be distributed in the technical installation or the control system and thus implemented, for example, on several operator station servers or other servers.
  • the integrity check also takes place before the actual operating action is carried out, so that a manipulated operating action may not be performed at all.
  • the result of the integrity check can be stored in a data memory.
  • This data memory can be located within the technical system. It is also possible for the data storage to be cloud-based and possibly located outside the technical system.
  • a cloud is understood to mean a computer network with online-based storage and server services. The data stored in the cloud are accessible online so that the technical system has access to a central data archive in the cloud via the Internet.
  • a stateless alarm message can be generated and stored in the data memory.
  • the stateless alarm message can include information about the type of the requested operating action, which components are affected by the operating action and what the result of the integrity check is.
  • the integrity check can run automatically in the background without the operator being explicitly aware of or being able to influence this.
  • the essential benefit of the invention lies in the fact that possible errors can be clearly assigned to specific operating actions for a later audit in order to be able to carry out an error evaluation efficiently afterwards.
  • before the request is made, the operator can be presented visually with a selection option as to whether the integrity check for the operator action is to be carried out (or not).
  • the operator can thus specifically decide whether an operator action is, for example, so important that an integrity check is useful.
  • the operator station server can advantageously be designed and provided to explicitly present the result of the integrity check to the operator visually.
  • the operator station server can particularly advantageously be designed and provided to visually present the operator, in the event of a negative integrity check and before the operating action is carried out, with a selection option as to whether the operator action should actually be carried out. Since availability has a high priority in process engineering systems, an operator action whose affected components have not passed the integrity check is not aborted immediately but only delayed for a time, in order to give the operator the opportunity to decide whether the operator action should be carried out despite the negative integrity check.
  • control system 1 comprises a first server of an operating system or a first operator station server 2, a second operator station server 3 and an operator station client 4.
  • the two operator station servers 2, 3 and the operator station client 4 are connected via a terminal bus 5 to one another and to other components of the control system 1, not shown, such as an engineering system server or a process data archive.
  • a user or operator has access to the operator station servers 2, 3 by means of the operator station client 4 via the terminal bus 5 in the context of operating and monitoring.
  • the first operator station server 2 has a first device interface 6 which is connected to a system bus 7.
  • the second operator station server 3 has a second device interface 8, which is also connected to the system bus 7.
  • the operator station servers 2, 3 can communicate with an (external) device 9 such as an automation station via the device interfaces 6, 8.
  • the connected device 9 can also be an application, in particular a web application.
  • any number of devices and / or applications 9 can be connected to the operator station servers 2, 3.
  • the system bus 7 can, without being limited thereto, be designed, for example, as an industrial Ethernet.
  • the device 9 can in turn be connected to any number of subsystems (not shown).
  • a visualization service 10, 11 is integrated in each of the operator station servers 2, 3, via which (visualization) data can be transmitted to the operator station client 3.
  • the operator station servers 2, 3 each have a process image 12, 13. Snapshots of the (signal) states of the devices and / or applications 9 connected to the operator station servers 2, 3 via the device interfaces 6, 8 are stored in the process images 12, 13 of the operator station servers 2, 3.
  • a determination service 14, 15 is implemented in both operator station servers 2, 3.
  • the determination services 14, 15 each include a configuration database 16, 17 and a validation service 18, 19, the functions of which are shown below on the basis of an exemplary operating action by an operator of the control system 1 (here: acknowledging an alarm message).
  • CAs: certification authorities
  • Root CAs: root certification authorities
  • Their certificates can (just like the certificates of the subordinate CAs) have been installed, for example, as part of a secure installation routine of the control system 1.
  • an alarm interface 21 and a distribution service 22 of the first operator station server 2 are affected by the operator action.
  • a distribution service 23 and the process image 12 of the second operator station server 3 are affected by the operator action.
  • the validation service 18 of the first operator station server 2 checks (step III) whether the integrity of the components involved in the operator action is intact. As part of the validation, the hash values of the software components involved are computed and compared with the trustworthy hash values of the manufacturer that are securely stored in the configuration database 15. The result of the integrity check is reported back to the operator (step IV). In the event of a positive integrity check, the operator action, i.e. the acknowledgment of the alarm message, is carried out (step V).
  • in the event of a negative integrity check, the operator is visually presented with a choice and can decide whether the actual acknowledgment of the alarm message should still be carried out (even in the case of a negative integrity check this may be desirable or necessary in some cases), or whether the cause of the lack of integrity is to be determined and rectified first.
  • a stateless alarm is triggered and stored in a data memory (not shown) of the control system 1. This means that all processes for an audit trail are documented, which ensures traceability.
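The flow described in the definitions above (scope the integrity check to the components an operator action touches, compare their hashes against trustworthy values in a configuration database, record a stateless alarm for the audit trail, and delay rather than abort on a negative result) as an added example; this is illustrative code written for this page, not the patent's or Siemens' implementation. The component "binaries", the action-to-component mapping and the return codes are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample software components of the two operator station servers
# (reference numerals follow the exemplary embodiment). In a real control
# system these would be the installed service binaries; here they are byte
# strings so the example runs offline.
COMPONENTS = {
    "server2/alarm_interface_21": b"alarm-interface v1.0",
    "server2/distribution_service_22": b"distribution-service v1.0",
    "server3/distribution_service_23": b"distribution-service v1.0",
    "server3/process_image_12": b"process-image v1.0",
}

# Which components an operator action affects (assumed mapping; the page's
# example is acknowledging an alarm message, which spans both servers).
AFFECTED_BY_ACTION = {
    "acknowledge_alarm": [
        "server2/alarm_interface_21",
        "server2/distribution_service_22",
        "server3/distribution_service_23",
        "server3/process_image_12",
    ],
    "change_setpoint": ["server3/process_image_12"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Configuration database: trustworthy manufacturer hashes fixed at install time.
CONFIG_DB = {name: sha256_hex(data) for name, data in COMPONENTS.items()}


@dataclass
class IntegrityResult:
    action: str
    checked: list = field(default_factory=list)
    failed: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.failed


def check_affected_components(action, components, config_db):
    """Hash only the components the action touches and compare with the config DB."""
    result = IntegrityResult(action=action)
    for name in AFFECTED_BY_ACTION[action]:
        result.checked.append(name)
        expected = config_db.get(name)
        actual = sha256_hex(components[name]) if name in components else None
        if expected is None or actual != expected:  # unknown or manipulated component
            result.failed.append(name)
    return result


def stateless_alarm(result: IntegrityResult) -> str:
    """Audit-trail record: action type, affected components and check result (JSON)."""
    return json.dumps({"action": result.action, "components": result.checked,
                       "integrity_ok": result.passed, "failed": result.failed})


def request_operator_action(action, components, config_db, audit_log, operator_override=False):
    """Run the scoped check before the action; never abort outright on failure.

    Returns 'executed', 'awaiting_decision' (action delayed until the operator
    chooses) or 'executed_despite_failure' (operator explicitly chose to proceed).
    """
    result = check_affected_components(action, components, config_db)
    audit_log.append(stateless_alarm(result))  # stored regardless of outcome
    if result.passed:
        return "executed"
    if operator_override:
        return "executed_despite_failure"
    return "awaiting_decision"
```

Note that an action touching only an intact component (here `change_setpoint`) still executes even while another component on the same server is manipulated, which is exactly the resource saving and the limitation of scoping the check to affected components.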

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Manufacturing & Machinery (AREA)
  • Quality & Reliability (AREA)
  • Automation & Control Theory (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20170955.7A EP3901720A1 (fr) 2020-04-22 2020-04-22 Integrity test for control systems of technical installations
PCT/EP2021/060450 WO2021214181A1 (fr) 2020-04-22 2021-04-21 Integrity test in control systems of technical installations

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP20170955.7A EP3901720A1 (fr) 2020-04-22 2020-04-22 Integrity test for control systems of technical installations

Publications (1)

Publication Number Publication Date
EP3901720A1 true EP3901720A1 (fr) 2021-10-27

Family

ID=70417372

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20170955.7A Withdrawn EP3901720A1 (fr) 2020-04-22 2020-04-22 Integrity test for control systems of technical installations

Country Status (2)

Country Link
EP (1) EP3901720A1 (fr)
WO (1) WO2021214181A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160116893A1 (en) * 2014-10-24 2016-04-28 Ronald Lance Justin Autonomous control systems and methods
US20160359866A1 (en) * 2015-06-05 2016-12-08 Fisher-Rosemount Systems, Inc. Methods and apparatus to control communications of endpoints in an industrial enterprise system based on integrity
US20160379000A1 (en) * 2015-06-23 2016-12-29 Adventium Enterprises, Llc Dynamically measuring the integrity of a computing apparatus
CN110011848A (zh) * 2019-04-03 2019-07-12 鼎信信息科技有限责任公司 一种移动运维审计系统
US20190236313A1 (en) * 2018-01-26 2019-08-01 Rockwell Automation Technologies, Inc. Authenticated backplane access

Also Published As

Publication number Publication date
WO2021214181A1 (fr) 2021-10-28

Similar Documents

Publication Publication Date Title
EP3562089B1 (fr) Automated certificate management
DE102004003605B4 (de) Integrated diagnostic system in a process plant with a process control system and a safety system
EP3605253B1 (fr) Automated initialization of public key infrastructures
EP3264208B1 (fr) Method for updating process objects in an engineering system
EP2908195B1 (fr) Method for monitoring security in an automation network, and automation network
EP4073602B1 (fr) Control system for technical installations with certificate management
EP3951516A1 (fr) System and method for verifying the components of an industrial control system
EP3379351B1 (fr) Method for operating an automation device, and automation device
EP3624413A1 (fr) Automatic certificate management for automation installations
EP3985532B1 (fr) Certificate management for technical installations
EP4099114A1 (fr) Method for detecting restricted operation and observation of a technical installation, operator control and monitoring system, and process control system
EP3901720A1 (fr) Integrity test for control systems of technical installations
EP3851923B1 (fr) Control system for technical installations with certificate management
WO2019096645A1 (fr) Method and device for the computer-aided determination of a severity of a detected integrity violation
EP3699705A1 (fr) Method for monitoring an industrial communication network, security system, industrial communication network, computer program and computer-readable medium
EP3537323A1 (fr) Project-related certificate management
EP4113928A1 (fr) Control system for a technical installation and method for issuing a certificate request for an installation component
EP3912002B1 (fr) Context-dependent security audit log of a technical system
DE102019105135A1 (de) Method for monitoring an industrial network
EP4432602A1 (fr) Method for presenting a certificate and computer-implemented registration site
EP3783449A1 (fr) Allocation of the devices of a technical installation
EP3686697A1 (fr) Controller optimization for a control system of a technical installation
EP4333364A1 (fr) Computer-implemented method for inventory monitoring of components
EP4199414A1 (fr) Control system of a technical installation and computer-implemented monitoring service
EP4333363A1 (fr) Method for presenting a certificate and computer-implemented registration site

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

B565 Issuance of search results under rule 164(2) epc

Effective date: 20201006

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20220429